Consent re-examined: Objective standards after RTM v Bonne Terre and the position in Guernsey

• Consent requires a positive opt in; pre ticked boxes or implied consent are insufficient.
  
  
• Consent must be granular, unbundled from other terms and clearly distinguishable from general contractual acceptance.
  
  
• The controller must be able to evidence who consented, when they did so, how they did so and what they were told.

The Court of Appeal’s decision in RTM v Bonne Terre Limited & Anor [2026] EWCA Civ 488 (the RTM Decision) (available here) provides important clarification on the nature of 'consent' under data protection law. In overturning the High Court’s approach, the Court of Appeal reaffirmed that consent is to be assessed on objective grounds, rejecting a subjective analysis focused on the data subject’s own decision making. 

Although the RTM Decision is not binding in Guernsey, the principles align with guidance on the question of consent (available here)  issued by the Office of the Data Protection Authority in Guernsey (the Consent Guidance) pursuant to the Data Protection (Bailiwick of Guernsey) Law, 2017 (as amended) (the DP Law).

This article outlines the main principles arising from the RTM Decision, before considering how consent is approached under Guernsey law.

The RTM Decision 

The central issue before the Court of Appeal was whether consent has a subjective dimension, such that it depends on the actual state of mind of the individual data subject. The Court answered that question firmly in the negative.

The Court of Appeal determined that consent is constituted by an outward indication of the data subject’s wishes, by a statement or clear affirmative action, which signifies agreement to the relevant processing. The appropriate question is whether the data subject gave consent, judged objectively by reference to what they did and what was communicated between the parties. It is neither necessary nor correct to inquire into what was “actually in the mind” of the individual data subject at the time.

This approach applies consistently across GDPR and predecessor regimes.

To establish valid consent, the controller must prove that the indication relied upon was: (i) freely given; (ii) specific; (iii) informed; and (iv) unambiguous

Crucially, each of these characteristics is assessed objectively. The analysis focuses on the quality of the consent mechanism, the information provided and the structural relationship between the parties, rather than on the individual’s subjective understanding, or decision making ability.

The fact that a data subject may be vulnerable does not, of itself, invalidate consent. A controller’s actual or constructive knowledge of such vulnerability also does not form part of the test of whether or not consent was properly given.

The position in Guernsey

Consent under the DP Law very closely mirrors the GDPR definition. It is also defined as a freely given, specific, informed and unambiguous indication of the data subject’s wishes, signified by a clear affirmative action. As in the RTM Decision, the burden rests on the controller to demonstrate that valid consent has been obtained.

The Consent Guidance aligns closely with the objective approach endorsed by the Court of Appeal.

The ODPA confirm that while consent represents a high standard, it is only one of several lawful bases and is not inherently preferable. Consent is appropriate only where individuals are offered genuine choice and control.

The keyways in which the Consent Guidance is consistent with the RTM Decision is as follows:

• Consent requires a positive opt in; pre ticked boxes or implied consent are insufficient.
• Consent must be granular, unbundled from other terms and clearly distinguishable from general contractual acceptance.
• The controller must be able to evidence who consented, when they did so, how they did so and what they were told.

The 'freely given' requirement is treated as an objective assessment. The ODPA focuses on whether there is deception, pressure, compulsion, or disadvantage associated with refusal or withdrawal. 

Importantly, the Consent Guidance does not suggest that controllers must assess or prove the subjective quality of an individual’s decision making. As in the RTM Decision, the emphasis is on systems, structure, and clarity, not introspection.

Conclusion and practical impact for data controllers

The RTM Decision helps provide clarity around the concept of consent by firmly anchoring it in objective and verifiable standards. For data controllers, this has significant practical implications.

Controllers are not required to investigate, anticipate, or disprove the subjective state of mind, vulnerabilities, or decision making capacity of individual data subjects. Rather, on the key issue is whether the controller’s consent mechanisms, information provision, and means of choice satisfy the statutory requirements of being freely given, specific, informed and unambiguous when viewed objectively. 

Controllers also bear the burden of proof and must be able to demonstrate consent through contemporaneous records showing what the individual did, what information was provided and how consent could be refused or withdrawn. Well designed opt in mechanisms, clear separation of consent from other terms, and robust audit trails are therefore not merely good practice but essential risk mitigation tools.

Finally, the alignment between the RTM Decision and the Consent Guidance underscores that, in both England and Guernsey, consent is not a default or catch all solution. 

For controllers, the strategic lesson is clear: consent should be relied upon selectively, engineered carefully, and documented rigorously, with a clear understanding that its validity depends on objective structure and process and not retrospective inquiries into an individual's state of mind.